
XSS

<<

lovewadhwa

Newbie

Posts: 16

Joined: Mon Jun 04, 2007 8:11 am

Post Thu Jul 26, 2007 4:49 am

XSS

Hi all,
I am receiving the following in my access logs if I do run a scanner, indicating that the XSS test has been successful.

%A7%A2%BE%BC
%F3%E3%F2%E9%F0%F4%BE%E1%EC%E5%F2%F4%A8%A7XSS%20Test%20Successful%A7%A9%
BC%AF%F3%E3%F2%E9%F0%F4%BE

I could not get the conversion of it, although I have consulted many conversion tables. Normally for XSS to be successful we have to use either "script" or "<" or ">" and many more. But I am not getting the conversion of the above to these characters. So I need to know to what exactly this is getting converted and how it has resulted in XSS.
<<

jimbob

Post Thu Jul 26, 2007 7:51 am

Re: XSS

Hi,
Just to clarify, can you confirm you're running a tool to test for XSS on your site and see a JavaScript popup box? What tool are you running and on what web server?

The encoding looks strange, it's clearly not all ASCII-7 and eight-bit ASCII just shows garbage. Perhaps the tool is sending Unicode and this is mangling the web server access logs.

Jim
<<

lovewadhwa

Newbie

Posts: 16

Joined: Mon Jun 04, 2007 8:11 am

Post Thu Aug 02, 2007 6:36 am

Re: XSS

Hi,
I do have to prevent XSS, but I don't have any idea what exactly character set encoding has to do with this. If I do filter some special characters, then I believe that would be a solution for XSS. But then where does this encoding specification come into play, and what exactly does it mean? Moreover, if I filter the special characters by converting them to their hex equivalents, then I believe XSS could even be launched from hex equivalents. Please provide me with good information explaining the whole business. This is getting confusing. I read the article at
http://www.cert.org/tech_tips/malicious ... ation.html
but it seems to be confusing regarding charset encoding and all that. Please help.
<<

heffnercj

EH-Net Columnist

Posts: 69

Joined: Thu Mar 15, 2007 2:45 pm

Post Thu Aug 02, 2007 8:02 pm

Re: XSS

lovewadhwa,

I have no idea what encoding this is using (don't know much about the different character encodings), but each hex value is 128 bytes above the normal ASCII values. This is interesting because ASCII values range from values 0-127. Subtracting 128 from each encoded value and converting it to ASCII gives you:

'"><script>alert('XSS Test Successful')</script>

Which is a pretty standard XSS test string. Whatever encoding it is using, it's probably not supported by most Web applications, so unless you are using some special encoding it probably isn't working (it depends though).

Like jimbob said, it's not ASCII-7 or regular ASCII. Also doesn't appear to be UTF-8 or Unicode. If you could tell us if this string actually produces a pop-up box, and if so, what type of Web application/database you are using, it would help.
Last edited by heffnercj on Thu Aug 02, 2007 8:14 pm, edited 1 time in total.
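The decoding step described in the post above, as an added example that is not part of the original thread: it percent-decodes the logged value, clears the high bit of every byte (the same as subtracting 128 from each byte above 127), and shows that a markup check misses the value as logged but matches once the bytes are folded to 7 bits. The names `strip_high_bit`, `classify` and `MARKUP` are assumptions made for this sketch, and the second sample value is constructed.

```python
import re
from urllib.parse import unquote_to_bytes

# Payload from the access log quoted in this thread, line breaks removed.
LOGGED = ("%A7%A2%BE%BC%F3%E3%F2%E9%F0%F4%BE%E1%EC%E5%F2%F4%A8%A7"
          "XSS%20Test%20Successful%A7%A9%BC%AF%F3%E3%F2%E9%F0%F4%BE")

# Constructed benign value: UTF-8 "café" in a query parameter.
BENIGN = "q=caf%C3%A9"

# Hypothetical triage pattern: a script tag or any angle bracket.
MARKUP = re.compile(r"<\s*/?\s*script\b|[<>]", re.IGNORECASE)


def strip_high_bit(value: str) -> str:
    """Percent-decode, then clear bit 7 of every byte (byte - 128 if > 127)."""
    raw = unquote_to_bytes(value)
    return bytes(b & 0x7F for b in raw).decode("ascii")


def classify(value: str) -> dict:
    """Compare a markup check on the logged bytes and on the 7-bit fold."""
    raw = unquote_to_bytes(value)
    as_logged = raw.decode("latin-1")      # what an 8-bit viewer displays
    folded = strip_high_bit(value)
    return {
        "high_bit_bytes": sum(b > 0x7F for b in raw),
        "markup_as_logged": bool(MARKUP.search(as_logged)),
        "markup_after_fold": bool(MARKUP.search(folded)),
        "folded": folded,
    }


if __name__ == "__main__":
    for sample in (LOGGED, BENIGN):
        print(classify(sample))
```

The fold is lossy, so ordinary multi-byte text can also turn into punctuation after it; a match is a reason to look at the request and at how the application handles 8-bit input, not evidence that the page is vulnerable.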
<<

lovewadhwa

Newbie

Posts: 16

Joined: Mon Jun 04, 2007 8:11 am

Post Tue Aug 07, 2007 12:04 am

Re: XSS

Hi,
Thanks a lot for your assistance. It isn't producing any pop-up box.

What I do need to know is how the encoding specification in HTML coding helps prevent these attacks. I mean, I have been reading articles on the same and they say that specifying the character encoding helps prevent XSS since it helps in determining special characters. Now I am not getting this. Please explain how that happens and how the charset encoding specification helps prevent XSS.
